Although I understand Microsoft’s point of view and strongly agree with them, the Microsoft-Managed Conditional Access Rules could have done the job. Break-glass accounts are sensitive and their whole purpose is to bypass anything including MFA. This adds a level of risk to these accounts (lost or broken fido2 key, …). Also, can’t seem to understand why Microsoft creates such “standard” things as CA rules, to replace Per-User MFA, they’re adaptive, “universal” in a way that allows Microsoft to push rules to tenant… just to create another specific thing in a dark corner of the room that does the same job but goes over it.

thanks so much!

Microsoft supports MFA resources from non-Entra sources. You’ll have to work the details out with Okta, who are well aware of the situation.

Any account that does not satisfy an MFA challenge will be unable to connect to the Azure sites/administrartive tools after the requirement is imposed, so yes – if those accounts need to use the Entra admin center, Azure admin center, Intune admin center, Azure CLI, and Azure PowerShell.

As I have no visibility into the tools you’re using (versions, configurations, etc.) or what you’re trying to do in your tenant, I suggest that you file a support incident with Microsoft and have their support engineers check things out. That way if an issue is discovered, it will be formally noted by Microsoft and sent to the relevant engineering team.

Until now if MFA is enforced for this account then Azure AD Connect starts raising errors.

Do you know if this affects to the account used by Azure Ad Connect to synchronize on premise AD with Entra?

Thanks again for your great work.

So if you set it to OFF now then MS will not auto-enable it in your org.

It does. You can continue to have a break glass account that is excluded from MFA and doesn’t use MFA, but if a problem happens that account will not be able to satisfy the requirement to undergo an MFA challenge to access Azure administrative tools. For instance, the account could access the Microsoft 365 admin center but not the Entra admin center. To make sure that the break glass account can access everything, it must be able to satisfy MFA. The recommended approach is to use a strong authentication method like a FIDO2 key.